Secure storage of secret data in a dispersed storage network

US 9,922,063 B2
Filed: 05/06/2013
Issued: 03/20/2018
Est. Priority Date: 12/29/2009
Status: Active Grant

First Claim

Patent Images

1. A method comprises:

for secure storage of a data access key of an originating device;

encrypting, by the originating device, the data access key using secret data to produce an encrypted data access key;

dispersed storage error encoding the encrypted data access key to produce a set of encoded data access key slices;

sending the set of encoded data access key slices to storage nodes of a distributed storage network (DSN) for storage therein;

transforming, by the originating device, the secret data to produce a plurality of secret data shares;

obtaining, by the originating device, unique encryption values of trusted agent modules of the DSN;

encrypting, by the originating device, the plurality of secret data shares using the unique encryption values to produce a plurality of encrypted secret data shares; and

sending, by the originating device, the plurality of encrypted secret data shares to the storage nodes for storage therein; and

for secure retrieval of the data access key;

sending, by the originating device, a secret data retrieval request to the trusted agent modules;

in response to the secret data retrieval request, recovering, by the trusted agent modules, the plurality of encrypted secret data shares from the storage nodes;

decrypting, by the trusted agent modules, the plurality of encrypted secret data shares using a decryption function corresponding to the unique encryption values to recapture the plurality of secret data shares;

sending, by the trusted agent modules, the plurality of secret data shares to the originating device;

recovering, by the originating device, the secret data from the plurality of secret data shares;

retrieving, by the originating device, at least a decode threshold number of encoded data access key slices of the set of encoded data access key slices from at least some of the storage node;

recovering, by the originating device, the encrypted data access key from the at least the decode threshold number of encoded data access key slices; and

decrypting, by the originating device, the encrypted data access key using the recovered secret data to recover the data access key.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for secure storage of secret data begins with an originating device transforming the secret data to produce a plurality of secret data shares and encrypting the plurality of secret data shares using unique encryption values of trusted agent modules of a dispersed storage network (DSN) to produce a plurality of encrypted secret data shares for storage in storage nodes of the DSN. Retrieval of the secret data begins with the originating device sending a secret data retrieval request to the trusted agent modules and recovering, by the trusted agent modules, the plurality of encrypted secret data shares from the storage nodes. The method continues with the trusted agent modules decrypting the plurality of encrypted secret data shares using a decryption function corresponding to the unique encryption values and sending the plurality of secret data shares to the originating device.

103 Citations

18 Claims

1. A method comprises:
- for secure storage of a data access key of an originating device;
  
  encrypting, by the originating device, the data access key using secret data to produce an encrypted data access key;
  
  dispersed storage error encoding the encrypted data access key to produce a set of encoded data access key slices;
  
  sending the set of encoded data access key slices to storage nodes of a distributed storage network (DSN) for storage therein;
  
  transforming, by the originating device, the secret data to produce a plurality of secret data shares;
  
  obtaining, by the originating device, unique encryption values of trusted agent modules of the DSN;
  
  encrypting, by the originating device, the plurality of secret data shares using the unique encryption values to produce a plurality of encrypted secret data shares; and
  
  sending, by the originating device, the plurality of encrypted secret data shares to the storage nodes for storage therein; and
  
  for secure retrieval of the data access key;
  
  sending, by the originating device, a secret data retrieval request to the trusted agent modules;
  
  in response to the secret data retrieval request, recovering, by the trusted agent modules, the plurality of encrypted secret data shares from the storage nodes;
  
  decrypting, by the trusted agent modules, the plurality of encrypted secret data shares using a decryption function corresponding to the unique encryption values to recapture the plurality of secret data shares;
  
  sending, by the trusted agent modules, the plurality of secret data shares to the originating device;
  
  recovering, by the originating device, the secret data from the plurality of secret data shares;
  
  retrieving, by the originating device, at least a decode threshold number of encoded data access key slices of the set of encoded data access key slices from at least some of the storage node;
  
  recovering, by the originating device, the encrypted data access key from the at least the decode threshold number of encoded data access key slices; and
  
  decrypting, by the originating device, the encrypted data access key using the recovered secret data to recover the data access key.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein the transforming the secret data comprises one or more of:
    - interleaving the secret data into the plurality of secret data shares;
      
      partitioning the secret data into the plurality of secret data shares;
      
      performing a dispersed storage error coding function on the secret data to produce the plurality of secret data shares; and
      
      performing a secret sharing function on the secret data to produce the plurality of secret data shares.
  - 3. The method of claim 1, wherein the obtaining the unique encryption values comprises:
    - identifying, by the originating device, the trusted agent modules; and
      
      retrieving the unique encryption values based on the identifying of the trusted agent modules.
  - 4. The method of claim 1, wherein the obtaining the unique encryption values comprises:
    - identifying, by the originating device, the trusted agent modules; and
      
      requesting the unique encryption values from the trusted agent modules.
  - 5. The method of claim 1, wherein one of the unique encryption values comprises one or more of:
    - a random encryption key agreed to by the originating device and one of the trusted agent modules; and
      
      a public key of a public/private key pair of the one of the trusted agent modules.
  - 6. The method of claim 5, wherein the decryption function comprises one of:
    - an inversed encryption function when the one of the unique encryption values is the random encryption key; and
      
      a private key decryption when the one of the unique encryption values is the public key.
  - 7. The method of claim 1, wherein the sending the plurality of encrypted secret data shares to the storage nodes further comprises:
    - identifying the storage nodes based on a type of the transforming.
  - 8. The method of claim 1 further comprises:
    - storing, by the originating device, association of the secret data with the trusted agent modules.
  - 9. The method of claim 1 further comprises:
    - for secure storage of the secret data of the originating device;
      
      encrypting, by the originating device, one of the plurality of secret data shares using a one of the unique encryption values associated with one of the trusted agent modules to produce one of the plurality of encrypted secret data shares; and
      
      sending, by the originating device, the one of the plurality of encrypted secret data shares to one of the storage nodes; and
      
      for secure retrieval of the secret data;
      
      in response to a secret data retrieval request, retrieving, by the one of the trusted agent modules, the one of the plurality of encrypted secret data shares from the one of the storage nodes;
      
      decrypting, by the one of the trusted agent modules, the one of the plurality of encrypted secret data shares using a decryption function corresponding to the one of the unique encryption values to recapture the one of the plurality of secret data shares; and
      
      sending, by the one of the trusted agent modules, the one of the plurality of secret data shares to the originating device.

10. A secret data storage facilitating system, wherein the system comprises:
- an originating device that includes;
  
  an interface;
  
  memory; and
  
  a processing module; and
  
  a set of trusted agent modules, wherein a trusted agent module of the set of trusted agent modules includes;
  
  an agent interface;
  
  an agent memory; and
  
  an agent processing module, whereinfor secure storage of a data access key of the originating device, the processing module of the originating device is operable to;
  
  encrypt a data access key using secret data to produce an encrypted data access key;
  
  dispersed storage error encode the encrypted data access key to produce a set of encoded data access key slices;
  
  send the set of encoded data access key slices to storage nodes of a distributed storage network (DSN) for storage therein;
  
  transform the secret data to produce a plurality of secret data shares;
  
  obtain unique encryption values of the set of trusted agent modules;
  
  encrypt the plurality of secret data shares using the unique encryption values to produce a plurality of encrypted secret data shares; and
  
  send, via the interface, the plurality of encrypted secret data shares to the storage nodes of the DSN for storage therein; and
  
  for secure retrieval of the data access key;
  
  the processing module of the originating device is operable to send, via the interface, a secret data retrieval request to the set of trusted agent modules;
  
  in response to the secret data retrieval request, the agent processing module of the trusted agent module is operable to;
  
  recover, via the agent interface, one of the plurality of encrypted secret data shares from one of the storage nodes;
  
  decrypt the one of the plurality of encrypted secret data shares using a decryption function corresponding to a unique encryption value of the trusted agent module to recapture the one of the plurality of secret data shares; and
  
  send, via the agent interface, the one of the plurality of secret data shares to the originating device;
  
  the processing module of the originating device is further operable to;
  
  recover the secret data from the plurality of secret data shares;
  
  retrieve, via the interface, at least a decode threshold number of encoded data access key slices of the set of encoded data access key slices from at least some of the storage node;
  
  recover the encrypted data access key from the at least the decode threshold number of encoded data access key slices; and
  
  decrypt the encrypted data access key using the recovered secret data to recover the data access key.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The system of claim 10, wherein the processing module of the originating device functions to transform the secret data by one or more of:
    - interleaving the secret data into the plurality of secret data shares;
      
      partitioning the secret data into the plurality of secret data shares;
      
      performing a dispersed storage error coding function on the secret data to produce the plurality of secret data shares; and
      
      performing a secret sharing function on the secret data to produce the plurality of secret data shares.
  - 12. The system of claim 10, wherein the processing module of the originating device functions to obtain the unique encryption values by:
    - identifying, by the originating device, the trusted agent modules; and
      
      retrieving the unique encryption values based on the identifying of the trusted agent modules.
  - 13. The system of claim 10, wherein the processing module of the originating device functions to obtain the unique encryption values by:
    - identifying, by the originating device, the trusted agent modules; and
      
      requesting the unique encryption values from the trusted agent modules.
  - 14. The system of claim 10, wherein one of the unique encryption values comprises one or more of:
    - a random encryption key agreed to by the originating device and one of the trusted agent modules; and
      
      a public key of a public/private key pair of the one of the trusted agent modules.
  - 15. The system of claim 14, wherein the decryption function comprises one of:
    - an inversed encryption function when the one of the unique encryption values is the random encryption key; and
      
      a private key decryption when the one of the unique encryption values is the public key.
  - 16. The system of claim 10, wherein the agent processing module of the trusted agent module further functions to send the plurality of encrypted secret data shares to the storage nodes by:
    - identifying the storage nodes based on a type of the transforming.
  - 17. The system of claim 10 further comprises:
    - the processing module of the originating device is further operable to store association of the secret data with the trusted agent modules.
  - 18. The system of claim 10 further comprises:
    - for secure storage of the secret data of the originating device, the processing module of the originating device is further operable to;
      
      encrypt one of the plurality of secret data shares using a one of the unique encryption values associated with one of the trusted agent modules to produce one of the plurality of encrypted secret data shares; and
      
      send, via the interface, the one of the plurality of encrypted secret data shares to one of the storage nodes; and
      
      for secure retrieval of the secret data, an agent processing module of the one of the trusted agent modules is operable to;
      
      in response to a secret data retrieval request, retrieve the one of the plurality of encrypted secret data shares from the one of the storage nodes;
      
      decrypt the one of the plurality of encrypted secret data shares using a decryption function corresponding to the one of the unique encryption values to recapture the one of the plurality of secret data shares; and
      
      sending the one of the plurality of secret data shares to the originating device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Pure Storage, Inc.
Original Assignee
International Business Machines Corporation
Inventors
Resch, Jason K., Leggette, Wesley
Primary Examiner(s)
Gee, Jason K.
Assistant Examiner(s)
Zhu, Zhimei

Application Number

US13/888,324
Publication Number

US 20130246812A1
Time in Patent Office

1,779 Days
Field of Search

380277, 380286, 707999202, 713150, 713153
US Class Current
CPC Class Codes

G06F 12/1408   by using cryptography for d...

G06F 16/2255   Hash tables

G06F 21/6218   to a system of files or obj...

G06F 21/78   to assure secure storage of...

G06F 2221/2107   File encryption

H04L 2209/34   Encoding or coding, e.g. Hu...

H04L 9/085   Secret sharing or secret sp...

H04L 9/0894   Escrow, recovery or storing...

Secure storage of secret data in a dispersed storage network

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

103 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Secure storage of secret data in a dispersed storage network

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

103 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links